Waraxe IT Security Portal  
Results in Cain
PostPosted: Sun Jan 18, 2009 11:06 am
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

Hello,

Cain gave me these results about a friend of mine when I was sniffing on a network.

lm hash: 020E3E793046F14E00000000000000000000000000000000
nt hash: CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E
challenge: 29738582FE12235E

I got a few questions:

Are the lm and nt hash not too long?
What to do with all those 0000... in the lm hash, can this be right?
What is a challenge?

Hanna313
PostPosted: Sun Jan 18, 2009 2:03 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

What software did you use to get this data? It's best to use Cain for network sniffing. In this way all the needed data is already imported into Cain!
Right now your problem is: how to import this data into Cain, right?
I'm doing some tests on this issue, but it takes some time.
PostPosted: Sun Jan 18, 2009 4:33 pm
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

Thanks for your reply Waraxe

Yes, I used Cain to get this data, but I don't know why the LM hash has all those 0000... in it and if this is okay, and if the NT hash isn't too long.

So in the end can it be cracked?
PostPosted: Sun Jan 18, 2009 6:40 pm
Henderson
Valuable expert
Joined: Jul 11, 2008
Posts: 58

Hanna313 wrote:
Yes, I used Cain to get this data, but I don't know why the LM hash has all those 0000... in it and if this is okay, and if the NT hash isn't too long.

Because these are not regular LM/NTLM hashes but rather response hashes from the NTLM challenge-response authentication routine. I believe the hashes you provided are derived from the so-called "NTLM2 Session Response". Brute-forcing it is possible but very time-consuming.
PostPosted: Sun Jan 18, 2009 6:47 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This is not NTLM v2, it's v1. V2 uses two challenges.

http://en.wikipedia.org/wiki/NTLM

Code:
NTLMv1

NTLMv1 is a challenge-response authentication protocol. The server authenticates the client by sending an 8-byte random number, the challenge. The client performs an operation involving the challenge and a secret shared between client and server, e.g. a password. The client returns the 24-byte result of the computation. In fact, in NTLMv1 two computations are made using two different shared secrets and two 24-byte results are returned. The server verifies that the client has computed the correct result, and from this infers possession of the secret, and hence the identity of the client.

The two secrets are:

    * the LANMAN hash of the user's password and
    * the MD4 hash of the user's password

Both of these hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The 21 bytes are separated into three 7-byte quantities. Each of these 56-bit quantities is used as a key to DES-encrypt the 64-bit challenge. The three encryptions of the challenge are reunited to form the 24-byte response. Both the response using the LANMAN hash and the one using the MD4 hash (called the NT hash) are returned as the response.

C = 8-byte server challenge, random
K1 | K2 | K3 = NT-Hash | 5-bytes-0
R1 = DES(K1,C) | DES(K2,C) | DES(K3,C)
K1 | K2 | K3 = LM-Hash | 5-bytes-0
R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)
response = R1 | R2

And probably the LM hash is not in use (for example, Vista does not use it anymore). Cain is capable of cracking such hashes, but the problem is importing them into Cain. This is what I'm doing right now: experimenting and trying to make it work in practice.
PostPosted: Sun Jan 18, 2009 7:10 pm
Henderson
Valuable expert
Joined: Jul 11, 2008
Posts: 58

It's not really NTLM v2. "NTLM2 Session Response" is an unofficial term. And it does utilize two challenges: the LM response hash is in fact the null-padded client challenge.

As for importing the data into Cain, either edit your *.LST file or press the Insert key while in Cain's cracker and import it from a text file.
PostPosted: Sun Jan 18, 2009 7:54 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

So what mode in Cain? "LM & NTLM Hashes --> NTLM Session Security Hashes"? And in what form should that text file be? Fields separated by ":"? Can you provide a working example of a text file importable to Cain?
I'm currently using Cain on Vista x64 and it seems that Cain does not like 64-bit Windows. So I have to test my ideas on VMware and it takes some more time.
PostPosted: Sun Jan 18, 2009 8:07 pm
Henderson
Valuable expert
Joined: Jul 11, 2008
Posts: 58

It would be

Code:
UserName:3:29738582FE12235E:020E3E793046F14E00000000000000000000000000000000:CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E
PostPosted: Sun Jan 18, 2009 8:39 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Thanks for the useful information.
PostPosted: Mon Jan 19, 2009 7:02 pm
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

So Waraxe, what do you think?

Can it be cracked? And how can it be cracked?
PostPosted: Mon Jan 19, 2009 7:57 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Hanna313 wrote:
So Waraxe, what do you think?

Can it be cracked? And how can it be cracked?

Make a text file as explained above, then go to Cain, navigate to "Cracker" --> "LM and NTLM Hashes"
--> press the Insert key --> "Add NT Hashes from" pops up --> select "Import hashes from a text file" -->
select that text file --> press the Next button ==> hashes are imported

Next, choose the right algorithm, "NTLM Session Security Hashes", and select either the Dictionary or Bruteforce method.

I was not successful with cracking that hash, but I'm short of free time and computing resources.
So my suggestion is to use bruteforce and let your PC or PCs crack it 24/7 for as long as possible.
But of course it all depends on the initial plaintext password quality
- strong NT password hashes are practically uncrackable (as of this moment's state of computing technology).
PostPosted: Mon Jan 19, 2009 8:04 pm
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

Can't I use LM or NTLM rainbow tables?

Wouldn't that be much faster?
PostPosted: Mon Jan 19, 2009 8:36 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

No, because of the random challenge, rainbow tables are not usable.
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"